Threat Analysis: AI-Powered Phishing Surge, Novo Nordisk Clinical Data Breach, and What UK SMBs Must Do Now
Hello, Mauven here.
This is your Daily Threat Analysis for 12th June 2026.
Three stories worth your time today. None of them involve a zero-day. None of them require a sophisticated nation-state actor with unlimited resources. All three involve phishing, human error, or both. That should tell you something about where your energy is better spent.
Google Sues AI-Powered Phishing Operation. The Lawsuit Is New. The Tactic Is Not.
Google has filed suit against an alleged Chinese phishing operation operating under the name ‘Outsider Enterprise’, run primarily through Telegram. The group is accused of using AI to generate and distribute millions of fraudulent SMS messages impersonating trusted brands: delivery services, financial institutions and government agencies.
The lawsuit alleges the operation was a commercial enterprise: toolkits sold to other fraudsters, infrastructure rented by the message, brand impersonation as a service. Google’s legal action is targeting the operators directly, seeking to disrupt the infrastructure and establish legal precedent around the misuse of its AI products.
Here is what the coverage does not say clearly enough: this model (Telegram-based, AI-assisted, commercially operated phishing-as-a-service) has been active in various forms against UK consumers and businesses for several years. What has changed is the quality of the output. AI-generated phishing messages are increasingly indistinguishable from legitimate communications; the grammatical errors and oddly formal phrasing that used to be the tell are disappearing.
For UK SMBs, the relevance is direct. Your staff are receiving these messages on their personal phones and, increasingly, on work devices. The impersonation of trusted brands means the messages look like they are from HMRC, from Royal Mail, from your bank, from Microsoft. Your finance team, your office manager, your senior partner, all of them are targets, and the messages they are receiving are better than anything a human fraudster would write at scale.
The advisory position on this has not changed. The NCSC has published guidance on phishing-resistant authentication and staff awareness for years. The fact that we are still reporting phishing as the dominant initial access vector in 2026 tells you everything about the gap between guidance published and guidance implemented.
What you should do:
- Implement DMARC, DKIM, and SPF on all outbound email domains. This does not stop smishing, but it reduces the credibility of email-based impersonation of your own brand.
- Review whether staff have a clear, low-friction way to report suspicious messages, SMS included. If the process is complicated, they will not use it.
- Check whether your IT provider has deployed phishing-resistant MFA (hardware keys or passkeys) on your most sensitive accounts. Standard TOTP codes can be intercepted in real time by adversary-in-the-middle proxies. This is not theoretical.
Novo Nordisk Clinical Trial Data Breach: Entry Point Was a Phishing Email
Novo Nordisk, the Danish pharmaceutical company behind Ozempic and Wegovy, disclosed today that attackers accessed and stole data relating to clinical trial participants. The breach was made public on the same day the UK’s medicines regulator approved a pill form of Wegovy, timing that will not have been lost on the communications team.
The company states that the exposed records were pseudonymised, meaning participant names were replaced with codes. That is the good news, and it is genuine mitigation. Pseudonymisation does not equal anonymisation, but it meaningfully reduces the harm to individuals if the data cannot be re-linked without the key.
The entry point, according to reporting from both BleepingComputer and The Register, was a phishing email.
Let that sit for a moment. Novo Nordisk is one of the largest pharmaceutical companies in the world. They have dedicated information security teams. They operate under strict regulatory frameworks in multiple jurisdictions. Their clinical trial data is among the most sensitive and commercially valuable information they hold.
And someone clicked a phishing email.
I am not saying this to mock the organisation. I am saying it because the ‘we are too small to be targeted’ argument, and its close relative ‘our staff would never fall for that’, are both demonstrably false at every scale. If this can happen at Novo Nordisk, it can happen at a 50-person professional services firm in Leeds.
The specific relevance for UK businesses operating in healthcare, life sciences, or any sector handling clinical or patient-adjacent data: the ICO’s enforcement posture on data minimisation and access controls is not softening. If you hold sensitive personal data (and under UK GDPR, clinical or health data carries enhanced obligations), a breach of this type is a notifiable event within 72 hours. Most SMBs do not have a tested incident response process. Most find out they do not have one when they need one.
What you should do:
- If you handle any category of special category data under UK GDPR (health, biometric, religious belief, and so on), your incident response plan should be documented and tested. Not drafted and filed. Tested.
- Review who in your organisation has access to clinical or patient-related data. Least-privilege access is not a technical luxury. It is the difference between a breach affecting one dataset and a breach affecting all of them.
- Confirm you have a Data Protection Officer or designated contact point, and that they know the 72-hour reporting clock starts from when you become aware of a breach, not when you finish investigating it.
💡 If you are unsure whether your business has the right controls in place, the Small Business Cyber Security Group can help. Graham Falkner’s practical security assessments are designed specifically for UK SMBs, no jargon, no vendor pitch, just an honest look at where you stand. Find out more at the link below.
Plymouth Council CC’d Hundreds of Families. It Has Been Reported to the ICO.
Plymouth City Council sent a mass email to families of home-schooled children and put all recipients in the CC field instead of BCC. Several hundred email addresses were exposed to every recipient on the list.
This is not a sophisticated attack. There is no threat actor involved. It is a procedural failure that organisations have been making since email was invented, and the ICO has been fining organisations for it since the GDPR came into force.
I am including it today because it is a useful illustration of where UK data breaches actually come from. The narrative around cyber threats tends toward the dramatic: nation-state hackers, ransomware gangs, sophisticated intrusions. The reality, as the ICO’s enforcement record consistently shows, is that a significant proportion of notifiable breaches in the UK are exactly this: someone sent an email wrong.
For context: Article 33 of UK GDPR requires you to report a personal data breach to the ICO within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals’ rights and freedoms. Exposure of email addresses to other recipients often meets that threshold, particularly where the recipients are members of a group defined by a sensitive characteristic, in this case, their decision to home-school, which may itself be sensitive in some circumstances.
Plymouth have confirmed they have reported to the ICO. The ICO will assess whether enforcement action is warranted based on the circumstances and any mitigating steps taken.
The NCSC published guidance on bulk email practices and BCC use years ago. The fact that we are still having this conversation tells you everything about how seriously some organisations take it.
What you should do:
- If your business sends bulk emails (newsletters, event invitations, client updates), confirm today whether your process defaults to BCC or whether it requires deliberate action to protect recipient privacy.
- Consider whether you should be using a proper email marketing platform with suppression lists and preference management rather than sending directly from your mail client. Mailchimp, Brevo, and similar tools have BCC built into their architecture.
- Brief your team. This is five minutes in a team meeting. ‘When you send to a group, use BCC unless recipients need to see each other.’ It is not complicated. It just needs to be said.
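The briefing above relies on people remembering; a mail gateway rule does not. The following is an added example, not part of the newsletter or any council system: a pre-send check that holds any outbound message exposing more than a handful of addresses in To or Cc. The threshold and the two sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed threshold: above this many visible recipients, the message is almost
# certainly a bulk send that should have used Bcc. Tune it to your organisation.
MAX_VISIBLE_RECIPIENTS = 5

def visible_recipients(raw_message: str) -> set:
    """Return the distinct addresses every recipient will be able to see (To and Cc only)."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}

def check_bulk_send(raw_message: str, threshold: int = MAX_VISIBLE_RECIPIENTS):
    """Return None if the message is safe to send, or a reason string if it should be held."""
    count = len(visible_recipients(raw_message))
    if count > threshold:
        return f"hold: {count} addresses visible in To/Cc, move recipients to Bcc"
    return None

# Constructed messages, not real council mail. The first reproduces the Plymouth
# mistake: every family in Cc. The second is the same send done correctly.
_FAMILIES = [f"family{i}@example.org" for i in range(1, 9)]

MASS_CC_MESSAGE = (
    "From: education@council.example\r\n"
    "To: education@council.example\r\n"
    "Cc: " + ", ".join(_FAMILIES) + "\r\n"
    "Subject: Home education update\r\n\r\nDear parents,\r\n"
)

BCC_MESSAGE = (
    "From: education@council.example\r\n"
    "To: education@council.example\r\n"
    "Bcc: " + ", ".join(_FAMILIES) + "\r\n"
    "Subject: Home education update\r\n\r\nDear parents,\r\n"
)
```

Most hosted mail platforms can express the same rule natively (a transport or DLP rule on recipient count); the point is that the control sits in the path, not in the sender’s memory.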
Also Worth Noting: Microsoft WUSA Update Fix
Microsoft has resolved a known issue where Windows updates released since May 2025 failed to install when deployed via the Windows Update Standalone Installer (WUSA) from a network share. If you are managing Windows devices centrally and have had unexplained update failures over the past year, this is worth revisiting. Unpatched Windows devices are a persistent entry point for ransomware and commodity malware campaigns targeting UK SMBs. Verify your update compliance.
Summary for Today
Today’s brief is not about zero-days. It is about the unglamorous, persistent reality of how UK businesses actually get compromised:
- AI is making phishing harder to detect at scale
- Phishing is still the dominant initial access method, regardless of the size or sophistication of the target
- Procedural failures around data handling carry real ICO enforcement risk
- Human behaviour remains the most exploited attack surface in UK business
None of this is new. The guidance exists. The question is whether it has been implemented.
📬 The Daily Threat Analysis goes out every working day when there is something worth saying. If you are not already subscribed, you can sign up via Substack to get it directly in your inbox. Mauven covers what the official advisories are not telling you, and Graham follows up with the practical steps. Subscribe below.